
Re: Layer 2 access and Current Practices



At 8:10 AM -0500 3/4/05, George Jones wrote:
On Thu, 3 Mar 2005 15:01:31 -0500, Howard C. Berkowitz <hcb@gettcomm.com> wrote:

 I certainly can see excluding SOHO, with all of its specialized
 problems. There is a remaining concern for large enterprises and
 hosting centers with gigabit Ethernet or POS/SONET/SDH access to
 their upstream IP providers.  The huge bandwidth available to certain
 organizations could make them, if compromised by miscreants, huge
 threats to SP network stability.

 To protect the SP network from a compromised high-bandwidth site,
 security measures may be implemented in provider-operated equipment
 at the site, or, more likely, at the POP. As a rule of thumb, if a
 given site has bandwidth comparable to a midsize ISP, I believe it
 has to be given special consideration as a risk, and also a major
 revenue source to be protected.


OK. So what are you suggesting? What sort of threats do you think need
to be addressed? It seems to me that basic rate limiting (omitted from the
first round of Chris' draft but to be added in -01) and filtering would address
most of this.


Thanks,
---George Jones

It's reasonable to do bogon filtering and uRPF at the border to very large sites, as well as rate limiting. Remember that hosting centers are popular DDoS targets.


While I don't think POP design is in scope, it still may be appropriate to suggest, in Chris' -01, that a POP may have a hierarchy of aggregation routers. The lowest are SOHO and medium business, but, for bandwidth reasons, some large customers may come in on hierarchically higher, and more powerful, routers. We don't want to give the suggestion that filtering is always at the low edge.

Much of this is probably there in the -01; I just want to make sure a bit of attention is drawn to the special connectivity issues of very large customers, including application service providers.
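As an added illustration, not part of this thread or of the draft under discussion, here is what the three measures named above (bogon filtering, uRPF and rate limiting) look like on the customer-facing interface of a provider-operated aggregation router, written in Cisco IOS syntax. Everything specific is an assumption for the example: the interface name GigabitEthernet1/0/1, the customer prefix 203.0.113.0/24, the link addressing out of 198.51.100.0/30, the policer rates, and the bogon list, which is a constructed subset and must be kept current from an authoritative feed, because address space that is unallocated today gets assigned later.

```ios
! Bogon source filter: drop packets whose source address can never be
! legitimately originated by a customer site. Constructed subset for this
! example only; a production list must track a current bogon feed.
ip access-list extended CUST-BOGON-IN
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 ! Everything else is left to uRPF and the policer below.
 permit ip any any

! Rate limiting: cap a class of traffic that is handy for flooding but never
! legitimately high-volume from a customer site. Rate and burst are assumed.
ip access-list extended CUST-ICMP
 permit icmp any any
class-map match-all CUST-ICMP-CLASS
 match access-group name CUST-ICMP
policy-map CUST-IN-POLICE
 class CUST-ICMP-CLASS
  police 2000000 375000 conform-action transmit exceed-action drop

! uRPF needs CEF switching enabled on the box.
ip cef

interface GigabitEthernet1/0/1
 description Large single-homed customer, 203.0.113.0/24 (assumed)
 ip address 198.51.100.1 255.255.255.252
 ip access-group CUST-BOGON-IN in
 ! Strict uRPF: accept a source address only if the best route back to it
 ! points out this same interface. Right for a single-homed customer. A
 ! multihomed or asymmetrically routed customer needs loose mode instead
 ! ("ip verify unicast source reachable-via any"), or legitimate traffic
 ! will be dropped.
 ip verify unicast source reachable-via rx
 service-policy input CUST-IN-POLICE
```

The same three blocks apply whether the customer lands on a low-tier aggregation router or on one of the larger routers higher in the POP hierarchy; what changes is the line rate, and therefore the policer numbers and the hardware's ability to do the ACL and uRPF lookups at that rate, which is worth confirming before enabling them on a gigabit or POS interface.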